DATA PROTECTION IMPACT ASSESSMENT (DPIA)

NGL Video Recording & Remote Judging System — Summary DPIA

1. Project Overview

NGL collects and processes video recordings of children’s gymnastics routines for remote judging.
Videos are uploaded by clubs to a secure platform, accessed only by DBS-checked judges.

2. Data Involved

• Video of children (biometric and identifying data)

• Name, club, age group

• Scoring information

This counts as high-risk data under GDPR.

3. Purpose

• Enable virtual judging rounds

• Produce accurate competition results

• Manage scoring appeals

4. Lawful Basis

• Explicit parental consent

• Legitimate interest for competition functions

• Public interest in safe organisation of youth sport (optional secondary basis)

5. Risks Identified

Risk Likelihood Impact Mitigation

Unauthorised access Low High Secure portal, restricted judge access, password

Downloading/sharing videos Low High No download function, judge agreement

Data breach Low High Encryption, access logging, admin controls

Parental withdrawal mid-round Medium Medium Clear consent form, deletion protocol

Incorrect retention Low Medium Automated 30-day deletion

6. Safeguarding Measures

• All judges DBS checked

• Judge Confidentiality Agreement

• No storage of data outside the portal

• DSO oversight of the platform

• Reporting mechanism for concerns

7. Technical Controls

• End-to-end encryption

• Access logs and monitoring

• Device security requirements for judges

• Role-based permissions

• Timed access expiry

8. Retention and Deletion

• Videos deleted within 30 days (unless requested otherwise by the parent)

• Backups aged out automatically

• Revocation process for parent requests

9. Residual Risk

After mitigations, risk is assessed as Low and acceptable.

10. Approval

Signed by: _____________________________ (Data Protection Lead)
Date: __________________________________